How Vulnerable Is SMB1 To Ransomware Attacks?

SMB, or Server Message Block, is a widely used network file-sharing protocol. Barry Feigenbaum designed it at IBM in the 1980s. Its main purpose is to provide shared access to files, printers and serial ports between nodes on a network; it also carries transaction protocols for inter-process communication, such as named pipes.

Server Message Block is used mainly on Windows computers. On Windows, the server and client sides of the protocol are implemented by the LAN Manager Server (LanmanServer) and LAN Manager Workstation (LanmanWorkstation) services respectively.

Let's look more closely at SMB version 1.

History Of SMB1

Server Message Block (SMB) was originally designed by IBM and adopted by Microsoft for its LAN Manager product around 1990. The aim of SMB was to turn DOS INT 21h local file access into a networked file system. Microsoft later published its SMB 1.0 dialect under the name Common Internet File System (CIFS). In plain terms, this was the beginning of PC network file sharing: a local file system made available over a network.

Early SMB 1.0 implementations had many issues: the protocol was designed around small files and was very chatty, so performance over distance was poor. Microsoft revised the protocol and merged it into the LAN Manager product it was developing for OS/2 with 3Com around 1990, and from then on kept adding features in Windows for Workgroups and later versions of Windows. In 1996 Microsoft published the CIFS dialect, which shipped with Windows 95. It added support for larger file sizes, symbolic links and hard links, and transport directly over TCP/IP (which Windows 2000 introduced on TCP port 445).

How Does It Work?

The SMB protocol lets an application access files and other resources, such as printers, named pipes and mailslots, on a remote server. A client application can therefore open, read, create, move and modify a file on the remote server, and can connect to any server program that is set up to receive SMB client requests.

SMB is a request-response protocol: the client and server exchange a series of messages (dialect negotiation, session setup, tree connect) to establish a connection before any file operation takes place. SMB works at Layer 7, the application layer, and on modern systems runs directly over TCP/IP on port 445. Earlier versions of SMB ran on top of the NetBIOS API, usually as NetBIOS over TCP/IP (NBT) on TCP port 139, though NetBEUI and IPX transports were also used.

Today NetBIOS over a transport protocol is only needed to communicate with devices that do not support SMB directly over TCP/IP.
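The negotiation exchange above is the easiest way to find out whether a host still speaks SMB1 at all: send a raw SMB1 Negotiate request over TCP 445 and see whether the server accepts the "NT LM 0.12" dialect. The PowerShell below is an added example, not code from the original article. It builds the NetBIOS session header, the 32-byte SMB1 header and the dialect list by hand, parses the server's DialectIndex, and treats a reset connection or a DialectIndex of 0xFFFF as "SMB1 refused". The target address, port and timeout are assumptions; point it only at a lab host you are allowed to test.

```powershell
# Added example (not from the original article): probe a host for SMB1 support by
# sending an SMB_COM_NEGOTIATE request that offers only the "NT LM 0.12" dialect.
# A server with SMB1 disabled answers DialectIndex 0xFFFF (nothing accepted) or drops
# the connection. Host, port and timeout below are assumptions for a lab target.

function New-Smb1NegotiateRequest {
    param([string[]]$Dialects = @('NT LM 0.12'))

    $smb = New-Object System.Collections.Generic.List[byte]
    # --- 32-byte SMB1 header ---
    $smb.AddRange([byte[]](0xFF, 0x53, 0x4D, 0x42))     # Protocol id "\xFFSMB"
    $smb.Add(0x72)                                       # SMB_COM_NEGOTIATE
    $smb.AddRange([byte[]](0, 0, 0, 0))                  # Status (NT_STATUS)
    $smb.Add(0x18)                                       # Flags: canonical paths, case-insensitive
    $smb.AddRange([byte[]](0x01, 0xC8))                  # Flags2 = 0xC801 LE: long names, ext. security, NT status, Unicode
    $smb.AddRange((New-Object byte[] 12))                # PIDHigh(2) + SecurityFeatures(8) + Reserved(2)
    $smb.AddRange([byte[]](0, 0))                        # TID
    $smb.AddRange([byte[]](0x2F, 0x4B))                  # PIDLow (arbitrary)
    $smb.AddRange([byte[]](0, 0, 0, 0))                  # UID + MID
    # --- parameter block: WordCount = 0 for a Negotiate request ---
    $smb.Add(0x00)
    # --- data block: ByteCount, then each dialect as 0x02 + ASCII string + NUL ---
    $dialectBytes = New-Object System.Collections.Generic.List[byte]
    foreach ($d in $Dialects) {
        $dialectBytes.Add(0x02)
        $dialectBytes.AddRange([System.Text.Encoding]::ASCII.GetBytes($d))
        $dialectBytes.Add(0x00)
    }
    $smb.AddRange([System.BitConverter]::GetBytes([uint16]$dialectBytes.Count))  # little-endian ByteCount
    $smb.AddRange($dialectBytes)

    # NetBIOS Session Service header: type 0x00 (session message) + 3-byte big-endian length.
    $len = $smb.Count
    $packet = New-Object System.Collections.Generic.List[byte]
    $packet.AddRange([byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF)))
    $packet.AddRange($smb)
    return $packet.ToArray()
}

function Read-Smb1NegotiateResponse {
    param([byte[]]$Response)
    # Layout: 4-byte NetBIOS header, 32-byte SMB header (offsets 4..35), WordCount at 36, Words from 37.
    if ($Response.Length -lt 39 -or $Response[4] -ne 0xFF -or $Response[5] -ne 0x53) {
        return [pscustomobject]@{ Smb1Offered = $false; DialectIndex = $null; Reason = 'no SMB1 response' }
    }
    $status       = [System.BitConverter]::ToUInt32($Response, 9)
    $dialectIndex = [System.BitConverter]::ToUInt16($Response, 37)
    # 0xFFFF means none of the offered dialects was accepted.
    $offered = ($status -eq 0) -and ($dialectIndex -ne 0xFFFF)
    [pscustomobject]@{
        Smb1Offered  = $offered
        DialectIndex = $dialectIndex
        WordCount    = $Response[36]
        Reason       = if ($offered) { 'server accepted an SMB1 dialect' } else { 'server rejected all SMB1 dialects' }
    }
}

function Test-Smb1Offered {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumption: a lab host you may probe
        [int]$Port = 445,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Smb1Offered = $false; DialectIndex = $null; Reason = 'connect timeout' }
        }
        $client.EndConnect($connect)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $request = New-Smb1NegotiateRequest
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 4096
        $n = $stream.Read($buffer, 0, $buffer.Length)
        if ($n -le 0) {   # server closed the connection instead of negotiating: SMB1 refused
            return [pscustomobject]@{ Smb1Offered = $false; DialectIndex = $null; Reason = 'connection closed' }
        }
        return Read-Smb1NegotiateResponse -Response $buffer[0..($n - 1)]
    } catch {
        return [pscustomobject]@{ Smb1Offered = $false; DialectIndex = $null; Reason = "no response: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
}

# Usage (hypothetical lab address): Test-Smb1Offered -ComputerName 192.0.2.10 | Format-List
```

Because the request offers only the SMB1 dialect, a server that has SMB1 turned off has nothing it can accept; a result of Smb1Offered = $true means the host will still negotiate the very protocol version the exploits discussed below target. Run it across a subnet before and after the hardening steps later in this article to confirm the change actually took effect.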

How Does SMB1 Enable Ransomware And Other Attacks?

You are probably familiar with the WannaCry ransomware, which cost a lot of businesses money and downtime in May 2017. Ransomware and Trojan variants of this kind depend on vulnerabilities in the Windows Server Message Block (SMB) implementation to propagate through an organization's network.

Attackers generally use phishing emails to infect the first system; WannaCry was different. It scanned for reachable SMB ports (TCP 445), used the leaked, reportedly NSA-developed EternalBlue exploit for the SMB1 flaw fixed by MS17-010 to gain code execution, and then installed the DoublePulsar kernel backdoor, through which it loaded and ran the WannaCry ransomware payload.

Why Is it So Effective?

To do damage at scale, a worm-like infection has to keep spreading itself, so that little attacker effort yields multiplying returns. That is where the SMB vulnerabilities come in: they let the malware move laterally to every connected system it can reach on port 445.

Unnecessary protocols such as SMB1 should be disabled, since they expose systems to attackers, and the network should be segmented so that one compromised host cannot reach SMB on every other machine. It is also essential to keep systems on supported operating system versions and to apply security updates promptly: the patch for the flaw WannaCry exploited (MS17-010) had been available for two months before the outbreak.

SMB1 is enabled by default on older Windows releases, even though few systems actually need it. If you are not using it, disable SMB1, and review any other legacy protocols that are enabled but unused.

WannaCry used only two of the leaked tools (EternalBlue and DoublePulsar) to abuse SMB. It is not the only malware that has done so: the EternalRocks worm, discovered shortly after WannaCry, bundles seven of the leaked tools to infect systems around the world.

How Did The Attack Take Place?

Three of the leaked exploits, EternalBlue, EternalChampion and EternalRomance, are out in the open and take advantage of SMB1 vulnerabilities; a fourth, EternalSynergy, is also available. All four are addressed by the MS17-010 update. EternalBlue was used by WannaCry and Emotet; EternalRomance was used by Bad Rabbit, NotPetya and TrickBot.

A group calling itself the Shadow Brokers leaked all these exploits in April 2017. Within a month, EternalBlue had been weaponized and WannaCry spread like wildfire.

EternalRocks also drops DoublePulsar, the backdoor through which further malware is installed on infected systems.

Researchers have shown that the DoublePulsar backdoor does not authenticate whoever talks to it, so other attackers who find it listening on an infected host can use it to deliver their own malware.

Later in 2017, large-scale attacks such as Bad Rabbit and NotPetya used the same SMB vulnerabilities to spread through organizations' networks, and in the third and fourth quarters of 2018 the Emotet and TrickBot Trojan campaigns were at their peak.

That is enough about SMB version 1 and its vulnerabilities: if you are not using SMB1, you are better off without it.

Next, let's look at how to check whether SMB1 is enabled on Windows, and how to enable or disable it. So, let's proceed!

Open the Registry Editor (regedit) and go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. To check the current setting, right-click the SMB1 value, click Modify and look at its Value data: 0 means SMB1 is disabled, 1 means it is enabled.

Note: If there is no SMB1 (DWORD) value, SMB1 is enabled by default. To disable it, create the value: right-click in the right-hand pane, click New, select DWORD (32-bit) Value, name it SMB1 and set its Value data to 0. To re-enable SMB1 later, set the value back to 1.

Note: You need to restart your computer once you have made these changes.
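The registry edit above is one of several switches that control SMB1, and on newer Windows builds the SMB1 binaries can be removed entirely. The script below is an added example, not the article's own steps: run from an elevated PowerShell prompt, it reports the state of every SMB1 switch (the LanmanServer\Parameters value the article edits, the SMB server cmdlet view on Windows 8.1 / Server 2012 R2 and later, the SMB1Protocol optional feature on Windows 10 / Server 2016 and later, and the mrxsmb10 client driver), lists clients that still use SMB1 via the SMB server's audit log, and then turns SMB1 off through each of those switches. The -DryRun switch and the function names are this example's own conventions.

```powershell
# Added example, not part of the original article: audit and disable SMB1 on the local
# Windows host. Run elevated. Cmdlet availability per Windows version is noted inline;
# each call is guarded so the script degrades gracefully on releases that lack it.

$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb1ClientDriver   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1State {
    # Server side, registry: SMB1 absent or 1 = enabled, 0 = disabled (the value the article edits).
    $reg = (Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverEnabled = if ($null -eq $reg) { $true } else { $reg -ne 0 }

    # Server side, cmdlet view of the same setting (Windows 8.1 / Server 2012 R2 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    # Optional feature: 'Disabled' means the SMB1 binaries are removed (Windows 10 / Server 2016 and later).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Client side: Start = 4 means the SMB1 redirector driver mrxsmb10 is disabled.
    $clientStart = (Get-ItemProperty -Path $Smb1ClientDriver -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        RegistrySMB1        = $reg
        ServerSMB1Enabled   = $serverEnabled
        CmdletSMB1Enabled   = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'n/a' }
        OptionalFeature     = if ($feature) { [string]$feature.State } else { 'n/a' }
        ClientDriverEnabled = if ($null -eq $clientStart) { 'n/a' } else { $clientStart -ne 4 }
    }
}

function Get-Smb1Clients {
    # Before turning SMB1 off, find out who still uses it: with auditing on, the SMB server logs
    # every SMB1 session as event 3000 in Microsoft-Windows-SMBServer/Audit (Windows 10 / Server 2016+).
    param([int]$MaxEvents = 50)
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    param([switch]$DryRun)   # -DryRun is this example's own convention: list the steps without applying them
    $steps = @(
        @{ What = 'Set SMB1=0 under LanmanServer\Parameters (the registry method described above)'
           Do   = { Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWord -Value 0 -Force } },
        @{ What = 'Disable the SMB1 server through the SmbShare cmdlet'
           Do   = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } },
        @{ What = 'Remove the SMB1Protocol optional feature (server and client binaries)'
           Do   = { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null } },
        @{ What = 'Drop mrxsmb10 from the workstation service dependencies and disable the driver'
           Do   = { sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
                    sc.exe config mrxsmb10 start= disabled | Out-Null } }
    )
    foreach ($s in $steps) {
        if ($DryRun) { "Would: $($s.What)"; continue }
        try { & $s.Do; "Done: $($s.What)" } catch { Write-Warning "Failed: $($s.What) ($_)" }
    }
    'Reboot to make the registry and driver changes take effect.'
}

# Usage: Get-Smb1State; Get-Smb1Clients; Disable-Smb1 -DryRun; then Disable-Smb1 and reboot.
```

Run Get-Smb1Clients for a few days before Disable-Smb1 on a file server: anything that shows up in the audit log (old multifunction printers and NAS boxes are the usual suspects) will lose access when SMB1 goes away, and is better upgraded or isolated than used as an excuse to keep SMB1 on. Re-enabling, if you must, is the reverse: set the registry value to 1, or Set-SmbServerConfiguration -EnableSMB1Protocol $true, or Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. Check Get-Smb1State again after the reboot, since the registry value and the optional feature are independent switches and either one left on keeps SMB1 reachable.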

If you suspect your system has been compromised, or want to reduce the risk of future infections, you can also install protection tools such as Advanced System Protector by Systweak. Advanced System Protector is a one-stop solution that combines antimalware, antispyware and antivirus scanning to find and remove infections present on your system.

It is also always recommended to keep a backup of your system so that your data survives an attack; ransomware is far less of a threat when a clean copy of your files exists elsewhere. There are many backup tools available, but having the right one counts. Right Backup is one of the more reliable options: it transfers your data with SSL encryption, keeps it on secure cloud servers and makes it accessible from every device you have. All you need to do is upload your data and the backup service keeps it safe.

This is how you disable or enable Server Message Block version 1 (SMB1). Security concerns are nothing new, but the disruption caused by the WannaCry ransomware should be treated as a wake-up call, since it used a vulnerability in the SMB1 service of Windows to get into systems. Microsoft itself recommends disabling SMB1 for security reasons, so keeping it disabled, together with keeping your patches current, helps prevent this family of ransomware from victimizing your system.

Also, to make sure your data is safe and your system is protected you can always rely on Right Backup and Advanced System Protector respectively.


Disclaimer Last updated: January 30, 2019 The information contained on blogs.systweak.com website (the "Service") is for general information purposes only. Systweak Blogs assumes no responsibility for errors or omissions in the contents on the Service. In no event shall Systweak Blogs be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. Systweak Blogs reserves the right to make additions, deletions, or modification to the contents on the Service at any time without prior notice. Systweak Blogs does not warrant that the website is free of viruses or other harmful components. External links disclaimer blogs.systweak.com website may contain links to external websites that are not provided or maintained by or may not be in any way affiliated with Systweak Blogs Please note that the Systweak Blogs does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.
